Palo Alto Networks Inc.’s Unit 42 has identified new, difficult-to-detect remote access malware used by the Gallium advanced persistent threat group.
The Gallium APT group is believed to be a Chinese state-sponsored group and has a reputation for targeting telecommunications companies in Southeast Asia, Europe and Africa. In the last year, Gallium has expanded its targeting beyond telcos to include financial institutions and government entities.
The new trojan, dubbed “PingPull,” can use any of three protocols (ICMP, HTTP(S) or raw TCP) for command and control. Each of the three PingPull variants builds a custom string that it sends to the C2 server in every interaction to uniquely identify the compromised system.
The use of ICMP in one variant is noted as a particular concern. While ICMP tunneling is not a new technique, the Unit 42 researchers note that few organizations inspect ICMP traffic on their networks, meaning that when Gallium compromises systems, the successful infiltration may not be detected.
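The detection gap described above is easy to illustrate. The following is an added example, not Unit 42 code and not a PingPull signature: it applies only generic properties of ICMP echo traffic (RFC 792 says a reply must echo the request payload verbatim; stock `ping` tools use fixed filler payloads of 32 or 56 bytes) to a stream of constructed packets, and flags echoes whose payloads deviate from that. The stock Windows and Linux filler patterns, the size set and the entropy threshold are assumptions chosen for the example.

```python
"""Heuristic inspection of ICMP echo payloads for tunnel-like traffic.

Added example, not Unit 42 code and not a PingPull signature. All packets
below are constructed locally so the script runs offline.
"""
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Assumed default filler of the Windows ping client (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request/reply with a valid checksum (test data only)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Split an ICMP echo packet into its fields and verify the checksum."""
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
            "payload": packet[8:],
            # Summing the packet including its checksum field yields zero when valid.
            "checksum_ok": icmp_checksum(packet) == 0}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_linux_ping_payload(payload: bytes) -> bool:
    """Assumed Linux ping filler: 8-byte timestamp, then 0x10, 0x11, 0x12, ..."""
    if len(payload) <= 8:
        return False
    filler = bytes((0x10 + i) & 0xFF for i in range(len(payload) - 8))
    return payload[8:] == filler


def score_packet(pkt: dict, outstanding: dict) -> list:
    """Return the reasons an echo packet looks tunnel-like; [] if it looks benign.

    `outstanding` maps (ident, seq) -> request payload so that each reply can be
    compared with the request it answers.
    """
    payload = pkt["payload"]
    reasons = []
    if pkt["type"] == ICMP_ECHO_REQUEST:
        outstanding[(pkt["ident"], pkt["seq"])] = payload
    elif pkt["type"] == ICMP_ECHO_REPLY:
        request = outstanding.pop((pkt["ident"], pkt["seq"]), None)
        if request is None:
            reasons.append("unsolicited reply")
        elif request != payload:
            reasons.append("reply payload differs from request")
    if payload == WINDOWS_PING_PAYLOAD or is_linux_ping_payload(payload):
        return reasons  # stock filler: only the pairing checks above apply
    if len(payload) not in (32, 56):
        reasons.append(f"unusual payload size {len(payload)}")
    if len(payload) >= 16 and shannon_entropy(payload) > 5.0:
        reasons.append("high-entropy payload")
    return reasons


def analyze(packets: list) -> list:
    """Run the heuristics over a packet stream; returns (index, reasons) for flagged packets."""
    outstanding, flagged = {}, []
    for i, raw in enumerate(packets):
        pkt = parse_echo(raw)
        reasons = [] if pkt["checksum_ok"] else ["bad checksum"]
        reasons += score_packet(pkt, outstanding)
        if reasons:
            flagged.append((i, reasons))
    return flagged


def sample_stream() -> list:
    """Constructed packets: two stock ping exchanges and one tunnel-like exchange."""
    linux = struct.pack("!II", 1655000000, 123456) + bytes(0x10 + i for i in range(48))
    tunnel_req = bytes((i * 73 + 41) % 256 for i in range(120))  # constructed, 120 distinct bytes
    tunnel_rep = bytes((i * 37 + 5) % 256 for i in range(64))    # constructed, differs from request
    return [build_echo(ICMP_ECHO_REQUEST, 0x1111, 1, linux),
            build_echo(ICMP_ECHO_REPLY, 0x1111, 1, linux),
            build_echo(ICMP_ECHO_REQUEST, 0x2222, 1, WINDOWS_PING_PAYLOAD),
            build_echo(ICMP_ECHO_REPLY, 0x2222, 1, WINDOWS_PING_PAYLOAD),
            build_echo(ICMP_ECHO_REQUEST, 0x3333, 7, tunnel_req),
            build_echo(ICMP_ECHO_REPLY, 0x3333, 7, tunnel_rep)]


if __name__ == "__main__":
    for index, why in analyze(sample_stream()):
        print(f"packet {index}: {', '.join(why)}")
```

Two caveats apply in practice. Entropy alone is a weak signal, because the Linux filler is itself a run of distinct bytes and scores high, which is why the stock patterns are whitelisted before the entropy check; and a tunnel carrying plain-text commands will pass the entropy test, leaving the size and request/reply pairing checks to catch it. Asymmetric routing can also produce "unsolicited reply" hits, so that reason is best treated as corroborating rather than conclusive.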
On a successfully compromised system, PingPull supports a range of commands that let the attackers steal data and cause damage. These include the ability to enumerate storage volumes, list folder contents, read, write and delete files, and several other options.
“You don’t have to be in the intelligence field to understand that U.S.-based financial institutions, government agencies and other critical private sector industries will get hit,” Omer Yaron, head of research at security posture management company Enso Security Ltd., told SiliconANGLE. “We know that this is where we are headed because attackers are using applications more and more to breach organizations. This is a global trend.”
“An organization can no longer just rely on its current security tools and measures in place; the relevant security team must have a true, deep familiarity with the organization’s application security environment to be able to answer the simple question: have I been breached? Meaning, you must really understand your assets because the attacks are unique, dynamic and constantly changing,” Yaron added. “If you don’t have a good understanding of your organization’s application environment, you won’t even know where to look, which seems like a simple first step.”
The news of PingPull comes after the U.S. government warned on June 8 that Chinese hackers are targeting known vulnerabilities. The joint Cybersecurity Advisory from the National Security Agency, the Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation detailed how hackers target and compromise major telecommunications companies and network service providers.